SSL证书自动化如此简单-certbot实践
用户10002156
发布于 2024-01-05 03:12:35
发布于 2024-01-05 03:12:35
代码可运行
运行总次数:0
代码可运行
安装Certbot工具
sudo apt-get update
sudo apt-get install certbot
certbot --versionImportError: cannot import name 'appengine' from 'urllib3.contrib' (/usr/local/lib/python3.10/dist-packages/urllib3/contrib/init.py) 解决方案,卸载重装
pip uninstall urllib3pip install urllib3
设置域名解析
申请证书
方式一:用指定根目录的方式,会在根目录下创建一个.well-known来验证域名的所有权
certbot certonly --webroot -w /root/www/html -d tmp1210.visionmedicals.cn证书生成完毕后,我们可以在
/etc/letsencrypt/live/目录下看到对应域名的文件夹
方式二:certbot 还有另外一种模式 --standalone , 这种模式不需要指定网站根目录,他会自动启用服务器的443端口,来验证域名的归属。我们有其他服务(例如nginx)占用了443端口,就必须先停止这些服务,在证书生成完毕后,再启用。
# sudo certbot certonly --standalone --email jxiao@visionmedicals.com --agree-tos -d xjtmp.test.visionmedicals.cn
certbot certonly --standalone --email jxiao@visionmedicals.com --agree-tos -d tmp1210.test.visionmedicals.cn自动续期证书
免费的Let's Encrypt证书的有效期为90天,因此我们需要设置自动续期,以确保证书不会过期。Certbot提供了一个方便的命令行工具来自动续期证书。
设置定时任务
sudo crontab -e0 0 * * 0 certbot renew --quiet这将在每周日的午夜零点自动执行证书续期操作。
实践demo
step1.先配置好域名解释
step2.配置一个新的站点
使能够正常http访问
server {
listen 80;
listen [::]:80;
server_name tmp1210e.visionmedicals.cn;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
step3.生成证书到指定目录
root@iZ7xva33l57s9vs0useftcZ:~/software/docker/nginx/config/conf.d# certbot certonly --webroot -w /root/www/html -d tmp1210e.visionmedicals.cn --config-dir /root/software/docker/nginx/config/conf.d/cert/ --email jxiao@visionmedicals.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for tmp1210e.visionmedicals.cn
Successfully received certificate.
Certificate is saved at: /root/software/docker/nginx/config/conf.d/cert/live/tmp1210e.visionmedicals.cn/fullchain.pem
Key is saved at: /root/software/docker/nginx/config/conf.d/cert/live/tmp1210e.visionmedicals.cn/privkey.pem
This certificate expires on 2024-03-09.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
We were unable to subscribe you the EFF mailing list. You can try again later by visiting https://act.eff.org.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -step4:更新配置
server {
listen 443 ssl;
server_name tmp1210e.visionmedicals.cn;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
ssl_certificate conf.d/cert/live/tmp1210e.visionmedicals.cn/fullchain.pem;
ssl_certificate_key conf.d/cert/live/tmp1210e.visionmedicals.cn/privkey.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:1m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
}
server {
listen 80;
server_name tmp1210.visionmedicals.cn;
rewrite ^ https://$host$1 permanent;
}本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2024-01-04,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
暂无评论
推荐阅读
推荐阅读
相关推荐
Nginx配置使用certbot自动申请HTTPS证书
更多 >
腾讯云开发者
